Annex 3

Examples of institutional practices to protect customer passwords

Given the importance and sensitivity of customer passwords, and that some online attacks (e.g., brute force, password guessing) may attempt to crack or intercept customers' passwords, it is important that AIs implement adequate measures to protect the passwords of their customers. This is particularly important for AIs using only customer IDs (e.g., account numbers) and passwords to authenticate their customers.

This Annex provides AIs with some recommended sound practices for protecting the passwords of their customers. Please note that some recommendations may also be applicable to safeguarding the passwords of AIs' internal personnel.

(a) AIs should implement their systems to set a minimum length for customers' passwords and consider the need to restrict the format of passwords to combinations including both numeric and alphabetic characters. These measures increase the difficulty of guessing or cracking the passwords;

(b) AIs should consider the need for their systems to mandate or remind their customers to periodically change their passwords, and prevent their customers from reusing previously used passwords;

(c) The customer should be suspended, pending administrator intervention, after a defined number of incorrect login attempts. Such suspensions should be recorded and reviewed in a timely manner;

(d) AIs should issue customer IDs and passwords to customers separately, so that it is difficult for any third party to associate a password with its customer ID. AIs should also develop procedures to validate that customers have received their customer IDs and passwords before these can be used to access the systems; and

(e) While passwords entered by customers should not be displayed on the login screen, some application development tools allow automatic memorisation of the last customer ID and password entered on the login screen so that users can log into the systems more easily. AIs should not implement or allow such features.
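As an added example that is not part of this Annex, the following Python sketch shows how practices (a), (b) and (c) can be enforced in a login service: format checks, a history that blocks password reuse, suspension after repeated failures that only an administrator can lift, and a log of suspensions for review. The minimum length of 8, the lockout threshold of 5 attempts and the history depth of 5 are assumed values that the Annex does not specify.

```python
import hashlib, hmac, os, time
from dataclasses import dataclass, field

MIN_LENGTH = 8           # assumed minimum length (the Annex sets none)
MAX_FAILED_ATTEMPTS = 5  # assumed lockout threshold (the Annex sets none)
HISTORY_SIZE = 5         # assumed count of previous passwords that may not be reused
suspension_log = []      # practice (c): suspensions are recorded for timely review

def _hash(password: str, salt: bytes) -> bytes:  # salted PBKDF2 verifier
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def validate_format(password: str) -> bool:
    """Practice (a): minimum length plus both numeric and alphabetic characters."""
    return (len(password) >= MIN_LENGTH and any(c.isdigit() for c in password)
            and any(c.isalpha() for c in password))

@dataclass
class CustomerAccount:
    customer_id: str
    salt: bytes = field(default_factory=lambda: os.urandom(16))
    history: list = field(default_factory=list)  # recent verifiers, newest last
    failed_attempts: int = 0
    suspended: bool = False
    def set_password(self, new_password: str) -> bool:
        """Practices (a) and (b): reject weak formats and reuse of recent passwords."""
        digest = _hash(new_password, self.salt)
        if not validate_format(new_password) or digest in self.history:
            return False
        self.history = (self.history + [digest])[-HISTORY_SIZE:]
        return True

def login(account: CustomerAccount, password: str) -> str:
    """Practice (c): suspend after MAX_FAILED_ATTEMPTS, pending administrator action."""
    if account.suspended:
        return "suspended"
    current = account.history[-1] if account.history else b""
    if hmac.compare_digest(_hash(password, account.salt), current):
        account.failed_attempts = 0
        return "ok"
    account.failed_attempts += 1
    if account.failed_attempts >= MAX_FAILED_ATTEMPTS:
        account.suspended = True
        suspension_log.append({"customer_id": account.customer_id, "time": time.time(),
                               "event": "suspended", "attempts": account.failed_attempts})
        return "suspended"
    return "denied"

def reinstate(account: CustomerAccount, admin_id: str) -> None:  # administrator intervention
    account.suspended, account.failed_attempts = False, 0
    suspension_log.append({"customer_id": account.customer_id, "event": "reinstated", "by": admin_id})
```

Note that a correct password presented to a suspended account is still refused; only `reinstate` clears the suspension, and both the suspension and the reinstatement land in `suspension_log` for review.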
